On August 16, 2016, Public Safety Canada (“PSC”) issued a consultation paper, launching a public consultation as part of PSC’s development of an updated national cybersecurity strategy (the “Consultation Paper”). The consultation will close on October 15, 2016. Businesses may want to consider making submissions in respect of some key questions posed around possible regulation or standard-setting regarding Internet of Things and connected devices, certification for e-commerce activities, and information sharing (especially in respect of critical infrastructure).

Background

In 2010, PSC released the first Canadian national cyber security strategy—“Canada’s Cyber Security Strategy” (the “2010 Strategy”). The 2010 Strategy provided, for the first time, a governmental overview of cybersecurity threats to Canadian businesses, citizens, infrastructure and governmental agencies. The 2010 Strategy described the priorities of the Government of Canada in its efforts to secure against cyber threats and to develop cybersecurity technology.

The 2010 Strategy focused on three objectives: (1) Securing Government systems; (2) Partnering to secure vital cyber systems outside the federal Government; and (3) Helping Canadians to be secure online.

Since the introduction of the 2010 Action Plan, the Government of Canada has invested more than CAD 244 million, with most of the funds allocated to securing governmental systems.[1]

As part of the 2010 Action Plan, the government promoted a significant legislative development in the form of the Digital Privacy Act (Bill S-4), which amended the Personal Information Protection and Electronic Documents Act (“PIPEDA”) (see our earlier blog post here).

The current consultation

Six years have passed since the introduction of the 2010 Strategy, a period that saw extraordinary advancements in cyber-technology. PSC now wishes to renew and expand its cybersecurity strategy so that it reflects advances in technologies and positions Canada to better engage with future technological developments.

The Consultation Paper comprises three parts. The first part seeks input from the public on a variety of cybersecurity issues including cybercrime and cyber-policing, e-commerce, standardization, critical infrastructure, and growth and innovation.

The second part of the Consultation Paper establishes the five principles that will apply to the new cybersecurity strategy:

Recognize the importance of cyber security for business and economic growth.

Collaborate and coordinate across jurisdictions and sectors.

Adapt to respond to emerging technologies and changing conditions.

The third part of the Consultation Paper identifies three Key Action Areas, providing insight into what may very well be the action plan that will follow the new cybersecurity strategy (similar to the 2010 Action Plan) and will be of particular interest to business:

Resilience: This area focuses on prevention, mitigation, and response to cyberattacks, and increasing public engagement. Under this section PSC may promote certification of business, guidelines regarding corporate governance policies relating to cybersecurity, and increased public awareness.

Cooperation and capability: This area focuses on development of skills and resources for effective cyber security, including through educational and training programs, enabling information sharing within the private sector, and the creation of a national cybercrime coordination centre.

Cyber innovation: This area focuses on initiatives that will allow anticipation of, and adaptation to, new trends in cybersecurity. To this end, PSC is seeking to promote projects that will identify opportunities based on data analysis, support R&D in areas such as quantum computing, 3D printing, and virtual reality, and initiate private-public partnerships to create innovation hubs.

Takeaways for businesses

While many of the questions posed in the Consultation Paper focus on public education and cybercrime prevention, there are some key questions on which businesses may wish to provide input. Notably:

Protecting against advanced threats:

What do public and private sector organizations need in order to protect themselves from advanced cyber threats (for example, tools, capacity, information)?

What are the constraints to information sharing on advanced cyber threats and associated vulnerabilities?

Strengthening consumer confidence in e-commerce:

How can Canadian businesses be encouraged to adopt better cyber security regimes—particularly small and medium enterprises?

Embracing new cyber-secure technologies:

What steps should be taken to ensure that networked and emerging technologies (like Internet of Things and apps) are cyber secure?

Protecting critical infrastructure:

What are the barriers to strengthening cyber systems in critical infrastructure (within and across sectors)?

What are the constraints to information sharing and engagement related to protecting cyber systems of Canada’s critical infrastructure?

Businesses working in these areas, or affected by developments (particularly potential regulatory developments) in these areas, may be interested in making submissions.

In addition to our regular guest bloggers, Inside Internal Controls blog published by First Reference, provides occasional guest post opportunities from various subject matter experts on the topics of risk management and best practices in finance and accounting, information technology, environmental issues, corporate governance, sales/marketing and operations, not-for-profits and business related issues in Canada.